aboutsummaryrefslogtreecommitdiffstats
path: root/lang
diff options
context:
space:
mode:
authorale <ale@FreeBSD.org>2006-10-16 17:30:58 +0800
committerale <ale@FreeBSD.org>2006-10-16 17:30:58 +0800
commitb8e6a8ac6f955d1a2ca3f21c517a0de67897b6ef (patch)
treece726f126e5db262557c17b8ebd4c326b332d0d6 /lang
parentd738d27d48f69016909b9b76d85be1cc2a311b3b (diff)
downloadfreebsd-ports-gnome-b8e6a8ac6f955d1a2ca3f21c517a0de67897b6ef.tar.gz
freebsd-ports-gnome-b8e6a8ac6f955d1a2ca3f21c517a0de67897b6ef.tar.zst
freebsd-ports-gnome-b8e6a8ac6f955d1a2ca3f21c517a0de67897b6ef.zip
- fix open_basedir vulnerability in php4 and php5 [1]
- add an alert on safe_mode intrinsic insecurity and suggest to install the suhosin extension - enable the suhosin patch by deafult also in php4 Submitted by: Thomas Vogt <thomas@bsdunix.ch> [1] Obtained from: PHP CVS [1] Approved by: portmgr (clement)
Diffstat (limited to 'lang')
-rw-r--r--lang/php4/Makefile6
-rw-r--r--lang/php4/files/patch-ext_standard_dir.c20
-rw-r--r--lang/php4/files/patch-main_php_open_temporary_file.c43
-rw-r--r--lang/php4/files/patch-php.ini-dist18
-rw-r--r--lang/php4/files/patch-php.ini-recommended18
-rw-r--r--lang/php5/Makefile2
-rw-r--r--lang/php5/files/patch-ext_standard_dir.c20
-rw-r--r--lang/php5/files/patch-main_php_open_temporary_file.c43
-rw-r--r--lang/php5/files/patch-php.ini-dist18
-rw-r--r--lang/php5/files/patch-php.ini-recommended18
-rw-r--r--lang/php53/Makefile2
-rw-r--r--lang/php53/files/patch-ext_standard_dir.c20
-rw-r--r--lang/php53/files/patch-main_php_open_temporary_file.c43
-rw-r--r--lang/php53/files/patch-php.ini-dist18
-rw-r--r--lang/php53/files/patch-php.ini-recommended18
15 files changed, 302 insertions, 5 deletions
diff --git a/lang/php4/Makefile b/lang/php4/Makefile
index 165cacf8d818..6d8269cb5da8 100644
--- a/lang/php4/Makefile
+++ b/lang/php4/Makefile
@@ -7,7 +7,7 @@
PORTNAME= php4
PORTVERSION= 4.4.4
-PORTREVISION?= 0
+PORTREVISION?= 1
CATEGORIES?= lang devel www
MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \
http://downloads.php.net/ilia/:rc \
@@ -37,7 +37,7 @@ OPTIONS= CLI "Build CLI version" on \
CGI "Build CGI version" on \
APACHE "Build Apache module" off \
DEBUG "Enable debug" off \
- SUHOSIN "Enable Suhosin protection system" off \
+ SUHOSIN "Enable Suhosin protection system" on \
MULTIBYTE "Enable zend multibyte support" off \
IPV6 "Enable ipv6 support" on \
REDIRECT "Enable force-cgi-redirect support (CGI only)" off \
@@ -53,7 +53,7 @@ MAN1= php-config.1 phpize.1
.include <bsd.port.pre.mk>
-.if defined(WITH_SUHOSIN)
+.if !defined(WITHOUT_SUHOSIN)
PATCHFILES= suhosin-patch-${PORTVERSION}-0.9.5.patch.gz
PATCH_SITES= http://www.hardened-php.net/suhosin/_media/
PATCH_DIST_STRIP= -p1
diff --git a/lang/php4/files/patch-ext_standard_dir.c b/lang/php4/files/patch-ext_standard_dir.c
new file mode 100644
index 000000000000..ef819306883b
--- /dev/null
+++ b/lang/php4/files/patch-ext_standard_dir.c
@@ -0,0 +1,20 @@
+--- ext/standard/dir.c.orig Mon Oct 16 06:59:56 2006
++++ ext/standard/dir.c Mon Oct 16 07:00:06 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: dir.c,v 1.109.2.18.2.2 2006/01/01 13:46:57 sniper Exp $ */
++/* $Id: dir.c,v 1.109.2.18.2.3 2006/10/04 23:20:02 iliaa Exp $ */
+
+ /* {{{ includes/startup/misc */
+
+@@ -275,7 +275,7 @@
+ RETURN_FALSE;
+ }
+
+- if (PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
++ if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+ ret = VCWD_CHDIR(str);
diff --git a/lang/php4/files/patch-main_php_open_temporary_file.c b/lang/php4/files/patch-main_php_open_temporary_file.c
new file mode 100644
index 000000000000..1af8a22b5a6e
--- /dev/null
+++ b/lang/php4/files/patch-main_php_open_temporary_file.c
@@ -0,0 +1,43 @@
+--- main/php_open_temporary_file.c.orig Mon Oct 16 07:26:57 2006
++++ main/php_open_temporary_file.c Mon Oct 16 07:27:01 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: php_open_temporary_file.c,v 1.18.2.10.2.3 2006/05/23 23:23:39 iliaa Exp $ */
++/* $Id: php_open_temporary_file.c,v 1.18.2.10.2.6 2006/10/13 01:12:11 iliaa Exp $ */
+
+ #include "php.h"
+
+@@ -207,6 +207,7 @@
+ PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
+ {
+ int fd;
++ const char *temp_dir;
+
+ if (!pfx) {
+ pfx = "tmp.";
+@@ -215,11 +216,22 @@
+ *opened_path_p = NULL;
+ }
+
++ if (!dir || *dir == '\0') {
++def_tmp:
++ temp_dir = php_get_temporary_directory();
++
++ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
++ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
++ } else {
++ return -1;
++ }
++ }
++
+ /* Try the directory given as parameter. */
+ fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
+ if (fd == -1) {
+ /* Use default temporary directory. */
+- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
++ goto def_tmp;
+ }
+ return fd;
+ }
diff --git a/lang/php4/files/patch-php.ini-dist b/lang/php4/files/patch-php.ini-dist
new file mode 100644
index 000000000000..5ba593157aab
--- /dev/null
+++ b/lang/php4/files/patch-php.ini-dist
@@ -0,0 +1,18 @@
+--- php.ini-dist.orig Fri Dec 30 18:19:43 2005
++++ php.ini-dist Mon Oct 16 08:12:28 2006
+@@ -155,6 +155,15 @@
+
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we always recommend to install the Suhosin
++; extension.
++;
+ safe_mode = Off
+
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php4/files/patch-php.ini-recommended b/lang/php4/files/patch-php.ini-recommended
new file mode 100644
index 000000000000..a2baecd55e4f
--- /dev/null
+++ b/lang/php4/files/patch-php.ini-recommended
@@ -0,0 +1,18 @@
+--- php.ini-recommended.orig Fri Dec 30 18:19:43 2005
++++ php.ini-recommended Mon Oct 16 08:13:05 2006
+@@ -169,6 +169,15 @@
+ ;
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we recommend to always install the Suhosin
++; extension.
++;
+ safe_mode = Off
+
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index e0d2013da065..90bd0d34af2c 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
@@ -7,7 +7,7 @@
PORTNAME= php5
PORTVERSION= 5.1.6
-PORTREVISION?= 1
+PORTREVISION?= 2
CATEGORIES?= lang devel www
MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \
http://downloads.php.net/ilia/:rc \
diff --git a/lang/php5/files/patch-ext_standard_dir.c b/lang/php5/files/patch-ext_standard_dir.c
new file mode 100644
index 000000000000..58a6bccb9cfe
--- /dev/null
+++ b/lang/php5/files/patch-ext_standard_dir.c
@@ -0,0 +1,20 @@
+--- ext/standard/dir.c.orig Mon Oct 16 07:08:36 2006
++++ ext/standard/dir.c Mon Oct 16 07:08:40 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: dir.c,v 1.147.2.3 2006/02/26 10:49:50 helly Exp $ */
++/* $Id: dir.c,v 1.147.2.3.2.1 2006/10/04 23:19:25 iliaa Exp $ */
+
+ /* {{{ includes/startup/misc */
+
+@@ -286,7 +286,7 @@
+ RETURN_FALSE;
+ }
+
+- if (PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
++ if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+ ret = VCWD_CHDIR(str);
diff --git a/lang/php5/files/patch-main_php_open_temporary_file.c b/lang/php5/files/patch-main_php_open_temporary_file.c
new file mode 100644
index 000000000000..85f7c51ab47d
--- /dev/null
+++ b/lang/php5/files/patch-main_php_open_temporary_file.c
@@ -0,0 +1,43 @@
+--- main/php_open_temporary_file.c.orig Mon Oct 16 07:21:14 2006
++++ main/php_open_temporary_file.c Mon Oct 16 07:22:00 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: php_open_temporary_file.c,v 1.34.2.2 2006/05/23 23:22:26 iliaa Exp $ */
++/* $Id: php_open_temporary_file.c,v 1.34.2.1.2.4 2006/10/13 01:11:30 iliaa Exp $ */
+
+ #include "php.h"
+
+@@ -206,6 +206,7 @@
+ PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
+ {
+ int fd;
++ const char *temp_dir;
+
+ if (!pfx) {
+ pfx = "tmp.";
+@@ -214,11 +215,22 @@
+ *opened_path_p = NULL;
+ }
+
++ if (!dir || *dir == '\0') {
++def_tmp:
++ temp_dir = php_get_temporary_directory();
++
++ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
++ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
++ } else {
++ return -1;
++ }
++ }
++
+ /* Try the directory given as parameter. */
+ fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
+ if (fd == -1) {
+ /* Use default temporary directory. */
+- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
++ goto def_tmp;
+ }
+ return fd;
+ }
diff --git a/lang/php5/files/patch-php.ini-dist b/lang/php5/files/patch-php.ini-dist
new file mode 100644
index 000000000000..6d84f3a80891
--- /dev/null
+++ b/lang/php5/files/patch-php.ini-dist
@@ -0,0 +1,18 @@
+--- php.ini-dist.orig Fri Dec 30 18:19:43 2005
++++ php.ini-dist Mon Oct 16 08:12:28 2006
+@@ -165,6 +165,15 @@
+
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we always recommend to install the Suhosin
++; extension.
++;
+ safe_mode = Off
+
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php5/files/patch-php.ini-recommended b/lang/php5/files/patch-php.ini-recommended
new file mode 100644
index 000000000000..7b648b1ea0b5
--- /dev/null
+++ b/lang/php5/files/patch-php.ini-recommended
@@ -0,0 +1,18 @@
+--- php.ini-recommended.orig Fri Dec 30 18:19:43 2005
++++ php.ini-recommended Mon Oct 16 08:13:05 2006
+@@ -223,6 +223,15 @@
+ ;
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we recommend to always install the Suhosin
++; extension.
++;
+ safe_mode = Off
+
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index e0d2013da065..90bd0d34af2c 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -7,7 +7,7 @@
PORTNAME= php5
PORTVERSION= 5.1.6
-PORTREVISION?= 1
+PORTREVISION?= 2
CATEGORIES?= lang devel www
MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \
http://downloads.php.net/ilia/:rc \
diff --git a/lang/php53/files/patch-ext_standard_dir.c b/lang/php53/files/patch-ext_standard_dir.c
new file mode 100644
index 000000000000..58a6bccb9cfe
--- /dev/null
+++ b/lang/php53/files/patch-ext_standard_dir.c
@@ -0,0 +1,20 @@
+--- ext/standard/dir.c.orig Mon Oct 16 07:08:36 2006
++++ ext/standard/dir.c Mon Oct 16 07:08:40 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: dir.c,v 1.147.2.3 2006/02/26 10:49:50 helly Exp $ */
++/* $Id: dir.c,v 1.147.2.3.2.1 2006/10/04 23:19:25 iliaa Exp $ */
+
+ /* {{{ includes/startup/misc */
+
+@@ -286,7 +286,7 @@
+ RETURN_FALSE;
+ }
+
+- if (PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
++ if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+ ret = VCWD_CHDIR(str);
diff --git a/lang/php53/files/patch-main_php_open_temporary_file.c b/lang/php53/files/patch-main_php_open_temporary_file.c
new file mode 100644
index 000000000000..85f7c51ab47d
--- /dev/null
+++ b/lang/php53/files/patch-main_php_open_temporary_file.c
@@ -0,0 +1,43 @@
+--- main/php_open_temporary_file.c.orig Mon Oct 16 07:21:14 2006
++++ main/php_open_temporary_file.c Mon Oct 16 07:22:00 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: php_open_temporary_file.c,v 1.34.2.2 2006/05/23 23:22:26 iliaa Exp $ */
++/* $Id: php_open_temporary_file.c,v 1.34.2.1.2.4 2006/10/13 01:11:30 iliaa Exp $ */
+
+ #include "php.h"
+
+@@ -206,6 +206,7 @@
+ PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
+ {
+ int fd;
++ const char *temp_dir;
+
+ if (!pfx) {
+ pfx = "tmp.";
+@@ -214,11 +215,22 @@
+ *opened_path_p = NULL;
+ }
+
++ if (!dir || *dir == '\0') {
++def_tmp:
++ temp_dir = php_get_temporary_directory();
++
++ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
++ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
++ } else {
++ return -1;
++ }
++ }
++
+ /* Try the directory given as parameter. */
+ fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
+ if (fd == -1) {
+ /* Use default temporary directory. */
+- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
++ goto def_tmp;
+ }
+ return fd;
+ }
diff --git a/lang/php53/files/patch-php.ini-dist b/lang/php53/files/patch-php.ini-dist
new file mode 100644
index 000000000000..6d84f3a80891
--- /dev/null
+++ b/lang/php53/files/patch-php.ini-dist
@@ -0,0 +1,18 @@
+--- php.ini-dist.orig Fri Dec 30 18:19:43 2005
++++ php.ini-dist Mon Oct 16 08:12:28 2006
+@@ -165,6 +165,15 @@
+
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we always recommend to install the Suhosin
++; extension.
++;
+ safe_mode = Off
+
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php53/files/patch-php.ini-recommended b/lang/php53/files/patch-php.ini-recommended
new file mode 100644
index 000000000000..7b648b1ea0b5
--- /dev/null
+++ b/lang/php53/files/patch-php.ini-recommended
@@ -0,0 +1,18 @@
+--- php.ini-recommended.orig Fri Dec 30 18:19:43 2005
++++ php.ini-recommended Mon Oct 16 08:13:05 2006
+@@ -223,6 +223,15 @@
+ ;
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we recommend to always install the Suhosin
++; extension.
++;
+ safe_mode = Off
+
+ ; By default, Safe Mode does a UID compare check when